An Exposed United Nations Database Left Sensitive Information Accessible on the Internet

A database containing sensitive, sometimes personal information from the United Nations Trust Fund to End Violence Against Women was freely accessible online, revealing more than 115,000 files related to organizations working with or receiving funding from UN Women. The documents range from personnel information and contracts to letters and even detailed financial research about organizations working with vulnerable communities around the world, including under repressive regimes.
Security researcher Jeremiah Fowler discovered a website that was not password protected or otherwise access controlled, and disclosed the findings to the UN, which secured the website. Such incidents are rare, and researchers often find and disclose examples of exposures to help organizations correct data management errors. But Fowler insists that this volatility is why it’s important to continue to raise awareness about the threat of such errors. The UN Women website is a good example of a small mistake that can create additional risks for women, children, and LGBTQ people living in hostile situations around the world.
“They’re doing great work and helping real people on the ground, but the cybersecurity aspect is still important,” Fowler tells WIRED. “I’ve gotten a lot of information before, including all kinds of government agencies, but these organizations help people who are at risk to be who they are, where they are.”
A spokesperson for UN Women tells WIRED in a statement that the organization appreciates the cooperation of cybersecurity researchers and integrates any external findings with its telemetry and monitoring.
“In accordance with our incident response process, immediate protective measures were taken and investigative steps are being taken,” the spokesperson said of the database obtained by Fowler. “We are in the process of evaluating how we can communicate with people who may be affected so that they are aware and incorporate the lessons learned to avoid similar incidents in the future.”
Data can expose people in many ways. At the organizational level, some financial audits include bank account information, but in general, disclosures provide granular information on where each organization receives funding and how it budgets. The information includes a breakdown of operating costs, and information about employees that can be used to map connections between social groups in a country or region. Such information is ripe for misuse in scams since the UN is such a trusted organization, and the exposed data can provide details of internal operations and may serve as templates for malicious actors to create legitimate-looking communications purporting to come from the UN.